Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 22016

Summary: lcap removes all capabilities
Product: Gentoo Linux Reporter: Mark Aikens <marka>
Component: Current packagesAssignee: Patrick Kursawe (RETIRED) <phosphan>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Mark Aikens 2003-05-31 15:29:47 UTC 
Using lcap to remove a single capability removes them all. 

Reproducible: Always
Steps to Reproduce:
1. lcap CAP_NET_RAW 
2. lcap 
Actual Results:  
lcap shows all capabilities removed 

Expected Results:  
lcap should have only removed the CAP_NET_RAW capability 

Portage 2.0.48 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4) 
================================================================= 
System uname: 2.4.20-m2 i686 AMD Athlon(tm) XP 2000+ 
GENTOO_MIRRORS="http://gentoo.oregonstate.edu/ http://www.ibiblio.org/gentoo/" 
CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config 
/usr/kde/3/share/config /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config 
/usr/share/config" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d" 
PORTDIR="/usr/portage" 
DISTDIR="/usr/portage/distfiles" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/work" 
PORTDIR_OVERLAY="/usr/local/portage" 
USE="x86 oss 3dnow apm avi crypt cups encode gif jpeg kde gnome libg++ mikmod 
mmx mpeg ncurses nls pdflib png spell truetype xml2 xmms xv zlib alsa gdbm berkdb 
slang readline arts tetex aalib tcltk java guile postgres X sdl gpm tcpd pam libwww ssl 
perl python imlib oggvorbis gtk qt motif opengl cdr mbox -svga -esd -quicktime" 
COMPILER="gcc3" 
CHOST="i686-pc-linux-gnu" 
CFLAGS="-march=athlon -O3 -pipe" 
CXXFLAGS="-O2 -mcpu=i686 -pipe" 
ACCEPT_KEYWORDS="x86" 
MAKEOPTS="-j2" 
AUTOCLEAN="yes" 
SYNC="rsync://rsync.gentoo.org/gentoo-portage" 
FEATURES="sandbox ccache"
Comment 1 Patrick Kursawe (RETIRED) gentoo-dev 2003-06-11 02:16:17 UTC 
Strange things happening...

If I just lcap -vv CAP_SYS_MODULE, all capabilities are blanked.
If I try lcap -vv CAP_SYS_TIME, I can safely remove CAP_SYS_MODULE afterwards, but
trying CAP_NET_RAW then blanks everything again. Seems it has strange problems with certain bit combinations. Investigating...
Comment 2 Patrick Kursawe (RETIRED) gentoo-dev 2003-06-11 03:19:50 UTC 
Looks like sometimes it can't read back the data it writes to the kernel via /proc - still no idea who gets it wrong, the kernel or lcap. Stay tuned.
Comment 3 Patrick Kursawe (RETIRED) gentoo-dev 2003-06-11 06:24:30 UTC 
Got it.
The kernel (at least 2.4.20) uses the function proc_dointvec_bset from kernel/sysctl.c for access to /proc/sys/kernel/cap-bound - this function forbids any access if CAP_SYS_MODULE is not available (please don't ask me why they made it this way).
lcap is satisfied if it can open the file (which will work), then it reads from it (which fails, but isn't caught). It gets a zero and displays all capabilities as deleted though they aren't.
Just removing CAP_NET_RAW does not show this effect (at least not on my system). Please try to verify this with the new -r1 revision which should be in portage soon. It should print an error message if it can't read the capabilities.
Comment 4 Mark Aikens 2003-06-12 06:04:53 UTC 
OK, thanks. I just won't remove CAP_SYS_MODULE. Removing other capabilities work as expected.
Comment 5 Patrick Kursawe (RETIRED) gentoo-dev 2003-06-12 06:22:35 UTC 
Fine. Setting this to fixed.
Comment 6 Patrick Kursawe (RETIRED) gentoo-dev 2003-06-12 06:23:11 UTC 
Fixed.